UC Round Table: Teams Compliance

Industry experts discuss the key compliance challenges companies face in using Teams and what measures they can undertake to ensure a smooth process, the risks and consequences of non-compliance, and how AI might shape the landscape in the future.


Published: June 23, 2023

Kieran Devlin

Businesses across the globe face mounting pressures to ensure the security, privacy, and regulatory compliance of their UC and collaboration platforms. Teams has emerged as one of the most trusted solutions to address this need. However, to fully leverage the capabilities of Teams while maintaining compliance with such a wide array of industry regulations, businesses must navigate a range of intricacies.

There are various factors businesses need to factor into their thinking on successful Teams compliance, from data governance and security to eDiscovery. By understanding the compliance capabilities of Teams and introducing best practices, businesses can embrace the platform while safeguarding sensitive information, mitigating risks, and meeting their compliance obligations.

With our latest Round Table subject, “Teams Compliance”, we spoke with experts and executives from Oak Innovation, Kurmi Software, Theta Lake and NuWave Communications about the key compliance challenges companies face in using Teams and what measures they can undertake to ensure a smooth process, the risks and consequences of non-compliance, and how AI might shape the landscape in the future.

What are the key compliance challenges that organizations face when using Microsoft Teams for unified communications?

Phillip Reynolds, Director at Oak Innovation


Reynolds argued that compliance ultimately comes down to how data is captured, managed and stored. “Whilst many organizations like to record Teams calls and meetings for reference,” Reynolds said, “those impacted by regulations like MiFID II, Dodd-Frank, PCI, GDPR or HIPAA must take additional steps to ensure those recordings are stored securely and often for some years. That’s where Teams native recording often falls short.”

Reynolds noted that Teams recording doesn’t include encryption or provide a systematic way to store and retrieve crucial recordings in the long term: “It provides limited control over who can access recordings.”

“At a very basic level, of course, Teams recording only records Teams conversations,” he added. “If an organization uses Teams alongside other telephony as many do, and compliance is a priority, then they need to ensure that all calls are captured – not just Teams, not just PSTN lines, both external and internal calls, screens as well as voice.”

Antoine Perrier, Head of Technical Account Sales at Kurmi Software

Perrier cites two primary compliance challenges that Kurmi sees organizations face when using Teams for UC purposes. “The first is data security and retention,” Perrier explained. “Microsoft Teams generates a vast amount of data, including chat messages, file uploads, and audio/video recordings. Organizations need to ensure that the sensitive data shared through Teams, such as customer information or intellectual property, is adequately protected, especially as regulations such as GDPR are increasingly implemented.”

The second challenge Kurmi often observes is delegation and access governance, which includes “defining user roles and permissions and ensuring that access to users’ data is properly classified and labelled”, he said. “Organizations must be able to guarantee that these permission and policy rules, set during the initial provisioning, do not change over time (configuration drift).”

Garth Landers, Director of Global Product Marketing at Theta Lake

Landers argued that, for compliance reviewers, it could be difficult to follow the context of a conversation. This is particularly true if, for example, the compliance tools being used aren’t able to maintain the context and fidelity of the chat.

“Chat is dynamic and contains ingredients like emojis, reactions, images/memes and files/links,” Landers said. “If you are not capturing these and understanding the context, it can be very difficult to ascertain and identify risk. In-meeting chat also has to be captured, for the same reasons, along with Q&A, polls and whiteboards.”

“We are only talking about Teams here, but the related Microsoft ecosystem, which works with and is intertwined with Teams, is also in scope because users are not just relegated to Teams,” Landers continued. “Teams involves and uses SharePoint, OneDrive and Viva Engage (formerly known as Yammer). Theta Lake delivers a seamless, integrated and comprehensive approach to addressing all of these in a non-disruptive, modular manner.”

David Spears, Chief Product Officer at NuWave Communications

Spears outlined myriad challenges involved with Teams compliance, including data privacy, as “UC&C systems often involve the exchange of sensitive information, such as personal data, financial records, or confidential business data. Organizations must ensure compliance with relevant data privacy regulations like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).”

Spears also noted the importance of recordkeeping and retention, as many industries have specific requirements, as well as e-Discovery and legal hold in the event of litigation or regulatory investigations.

Spears also mentioned the significance of security and authentication because “UC&C systems require strong security measures to protect against unauthorized access, data breaches, and potential cyber threats. Compliance with industry-specific security standards, such as HIPAA for healthcare or PCI DSS for payment card data, may be necessary.”

Spears also highlighted the importance of compliance training and awareness, the potential obstacle of cross-border data transfer restrictions, and the possible complications of third-party service provider compliance regulations.

What measures can organizations take to ensure they are using Microsoft Teams in a compliant manner, especially in industries with strict regulatory frameworks?

David Spears, Chief Product Officer at NuWave Communications


Spears argued that organizations should ensure their compliance through a series of approaches. Specifically, companies should work with “data privacy regulations, establish recordkeeping and retention policies, enable e-Discovery capabilities, implement strong security measures and authentication protocols, provide compliance training to employees, comply with cross-border data transfer regulations, and conduct due diligence on third-party providers.”

Antoine Perrier, Head of Technical Account Sales at Kurmi Software

Perrier agreed that organizations must develop a comprehensive compliance strategy. They should “establish clear policies and procedures, leverage built-in security and compliance features provided by Microsoft Teams, and regularly review and update their compliance measures based on evolving regulatory requirements,” he said.

Perrier also suggested using a UC and collaboration provisioning and automation tool to help, citing Kurmi’s Provisioning Suite, which “can provide visibility into existing organizational and end-user settings within Microsoft Teams and help to ensure that these policies and procedures are implemented accurately and consistently.”

Perrier highlighted Kurmi’s Role Based Access Control (RBAC), through which organizations can establish permissions based on role to ensure that administrative users have access only to the resources and actions necessary to perform their specific tasks.

Garth Landers, Director of Global Product Marketing at Theta Lake

Landers argued that in regulated industries, it’s too easy to be sceptical of embracing new features and functions in UC platforms like MS Teams. “This happens because firms believe the challenge of maintaining compliance is just too hard and possibly disruptive to address,” Landers said, “so end users lose out by missing out on productivity gains, and firms end up not maximizing the investment they have made in platforms like Teams.”

Landers continued: “So how can firms do this without adding additional resources in compliance review or disruptive technology approaches? Leveraging a platform like Theta Lake will empower you to embrace all of the functionality you might be saying no to, like video or in-meeting chat, edit and delete functions or anything MS Teams has to offer.”

Landers added that Theta Lake could address any gaps in compliance coverage by capturing all necessary data — including meeting chat, video chat and voice in its full context and fidelity. “We can do that by fitting into your existing archive and storage infrastructure, and we can do it in a light touch, quickly delivered and highly repeatable manner,” he said. “You can buy only what you need based on channel/number of users.”

Phillip Reynolds, Director at Oak Innovation

Reynolds stated that organizations have a responsibility to be conscious of any regulations that affect them and have to take measures to ensure compliance. “That means knowing how Teams helps them to do that and where third-party software may be needed to bridge any gaps,” Reynolds said.

“The financial services industry is a clear example of where data must be stored securely for reasons of accountability and data protection,” Reynolds expanded before pointing out that compliance affects other sectors, too, at different levels. “Local authorities, for instance, are big Teams customers thanks to subsidized rates and have diverse and complex needs.”

“They look to third-party call recording solutions to support PCI compliance when taking card payments over the phone, where features like automated pause and resume bypass the need to manually press a button. They may also need to delete or prevent recordings with some customers under GDPR or, conversely, want to retain certain conversation trails for court cases, which must be presented in an encrypted format.”

What are the potential risks and consequences of non-compliance when using Microsoft Teams, and how can organizations mitigate them effectively?


Garth Landers, Director of Global Product Marketing at Theta Lake

To emphasise the potential financial risk of non-compliance, Landers highlighted that, over the last two years, there had been over $2 billion in fines and sanctions in the financial services industry for unmonitored communications usage. “Obviously, regulators take this very seriously,” he said. “In addition to the financial implications, there can be negative fallout in terms of brand reputation and publicity. The implications of this can be far-reaching and enduring.”

Phillip Reynolds, Director at Oak Innovation

Reynolds also noted the far-ranging and enduring risks of non-compliance, ranging from “poor customer service (‘Sorry Sir, we cannot provide your call transcript’) to huge fines, prison sentences and reputational damage.”

“It comes down to knowing which specific parts of regulations impact your organization and ensuring that any Teams solution ticks all your boxes,” Reynolds continued. “For example, financial services companies must record any conversations pertaining to a transaction – that includes internal as well as external calls. Not all third-party recorders can do that, so pick wisely, looking for solutions that use Graph API integration.”

Reynolds also suggested that where a company’s calls are stored can come into play. “Do you want them in your own data centre or private cloud or in Azure to keep things tidy? HIPAA requires that both the healthcare organization and their solution provider take responsibility for their respective parts; bringing in an additional storage company adds further complexity.”

David Spears, Chief Product Officer at NuWave Communications

Spears also maintained that failure to address compliance issues could lead to myriad problems for businesses. These include “data breaches, non-compliance penalties, legal consequences, loss of customer trust, compliance audit failures, increased vulnerability to cyberattacks, and inefficient workflows”. “It is essential for organizations to prioritize compliance measures to mitigate risks and protect their business interests,” he added.

Antoine Perrier, Head of Technical Account Sales at Kurmi Software

Perrier also cited audits, hefty fines and consumer mistrust as major risks of non-compliance. “Using a Unified Communications and Collaboration provisioning and automation tool, such as Kurmi Provisioning Suite, can help to mitigate risk and validate compliance during audits,” he commented.

“In case of a security incident or compliance violation, Kurmi provides tracking and analysis of user activities based on their roles, simplifying the investigation process,” Perrier expanded. “Kurmi Provisioning Suite also monitors configuration drift and provides a quick and easy way to check for any discrepancies.”

How could the compliance landscape change with the introduction of more AI-powered tools?


Antoine Perrier, Head of Technical Account Sales at Kurmi Software

Perrier believed that the introduction of more AI-powered tools in UC, for example, in analytics and reporting, could bring about significant changes in the compliance landscape. “AI-powered analytics tools can process large volumes of data from UC platforms, enabling organizations to gain deeper insights into their communications patterns, trends, and behaviours,” Perrier said. “This enhanced data analysis may provide organizations with better visibility into compliance risks and violations.”

Perrier also suggested that AI could help identify potential issues like unauthorized data sharing, inappropriate content, or non-compliant behaviour. “AI-powered tools can also automate certain compliance processes, making them more efficient and reducing the risk of human error,” he added.

“For example, AI can assist in automatically classifying and tagging communications based on their sensitivity, applying appropriate retention policies, or flagging non-compliant content. Automation can help ensure consistent compliance practices and reduce manual effort.”

David Spears, Chief Product Officer at NuWave Communications

Spears argued that the use of AI, including chatbots like ChatGPT, creates new complexities and considerations for compliance in areas such as data privacy, recordkeeping, e-Discovery, security, and training. “Organizations must adapt their compliance strategies to account for the specific challenges and opportunities presented by the use of AI technologies,” Spears said.

“Ensuring robust data protection, proper configuration for e-Discovery, strong security measures, and addressing AI ethics and biases is crucial for responsible AI deployment and compliance adherence,” Spears continued. “Regular assessments, transparency, and a proactive approach to addressing compliance in AI applications are essential to mitigate risks and ensure responsible AI deployment.”

Garth Landers, Director of Global Product Marketing at Theta Lake

Landers argued that AI is an important, compelling “ingredient” but shouldn’t be viewed as a panacea. Instead, Landers cited one potential tangible use case as “more of an assistive technology to help users like compliance reviewers scale their efforts to identify potential risks”.

“At Theta Lake, we recommended, based on our work with clients, that you capture and manage the essential data first,” Landers explained. “Having the right data where conversations, interactions and transactions take place is essential in shaping and delivering the outcomes you want in an AI-assisted use case.”

Landers mentioned Theta Lake’s “out of the box” approach to AI solutions by delivering almost 100 pre-built classifications covering regulatory rules, behavioural analysis, sexual harassment and other organizational policies. “Too many organizations today are engaging with providers that are all too happy to deliver a services-based engagement around ‘AI’ that has fuzzy and difficult-to-measure outcomes and, worse, isn’t capturing the right data,” Landers said.

Phillip Reynolds, Director at Oak Innovation

Reynolds concluded by identifying an AI-powered tool that could help ensure that compliance objectives are being met by “interacting with compliance-based software and confirming that any necessary actions have been taken with regard to recording all relevant conversations”.
